Administrator / spring-boot-microservices-onlineshooping-fullstack · Files

nginx.conf 5.07 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 
events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    
    # Logging format that includes X-Forwarded-For from ALB
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'proxy: "$proxy_host" "$upstream_addr"';
    
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log warn;

    # Basic settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/json
        application/javascript
        application/xml+rss
        application/atom+xml
        image/svg+xml;

    server {
        listen 80;
        server_name localhost;
        root /usr/share/nginx/html;
        index index.html;

        # Security headers - ALB handles some, but we add additional ones
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

        # Handle client-side routing - IMPORTANT for SPAs
        location / {
            try_files $uri $uri/ /index.html;
            # Don't cache HTML to ensure fresh content
            add_header Cache-Control "no-cache, no-store, must-revalidate";
        }

        # API proxy - updated for ALB architecture
        location /api {
            # Proxy to API Gateway service in Kubernetes
            proxy_pass http://api-gateway-service:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            
            # ALB passes client IP in X-Forwarded-For
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
            
            proxy_cache_bypass $http_upgrade;
            
            # Timeout settings
            proxy_connect_timeout 30s;
            proxy_send_timeout 30s;
            proxy_read_timeout 30s;
            
            # Buffer settings
            proxy_buffering on;
            proxy_buffer_size 4k;
            proxy_buffers 8 4k;
            
            # Don't cache API responses by default
            add_header Cache-Control "no-cache, no-store, must-revalidate";
        }

        # Health check endpoint for ALB
        location /health {
            access_log off;
            add_header Content-Type text/plain;
            return 200 "healthy\n";
        }

        # Cache static assets aggressively
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable, max-age=31536000";
            access_log off;  # Reduce log noise for static assets
        }

        # Cache media files
        location ~* \.(mp4|webm|ogg|mp3|wav)$ {
            expires 6M;
            add_header Cache-Control "public, immutable";
            access_log off;
        }

        # Cache text files
        location ~* \.(json|xml|txt)$ {
            expires 1h;
            add_header Cache-Control "public";
        }

        # Robots.txt
        location /robots.txt {
            add_header Content-Type text/plain;
            return 200 "User-agent: *\nDisallow: /api/\nAllow: /\n";
            access_log off;
        }

        # Favicon - prevent 404 errors
        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        # Prevent access to hidden files
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        # Error pages
        error_page 404 /index.html;
        error_page 500 502 503 504 /50x.html;
        
        location = /50x.html {
            root /usr/share/nginx/html;
            internal;
        }
    }
    
    # Optional: Additional server block for redirecting to HTTPS
    # Since ALB handles SSL termination, this might not be needed
    # but can be useful for direct access scenarios
    server {
        listen 8080;
        server_name _;
        
        location /health {
            access_log off;
            add_header Content-Type text/plain;
            return 200 "healthy\n";
        }
        
        # Deny all other traffic to this port
        location / {
            return 403;
        }
    }
}